dive short:
The multibillion-dollar cybersecurity industry is the result of misaligned incentives, with the tech industry prioritizing speed to market over security, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said at a Hack the Capitol Wednesday. -event. Easterly’s comments build on federal pressure to place the burden of security on technology vendors rather than their customers, a core component of the recently released national cyber strategy. As artificial intelligence and generative AI solutions descend into the technology ecosystem, the same concerns about security falling by the wayside apply. “I think we need to be very, very aware of making some of the mistakes with artificial intelligence that we’ve made with technology,” Easterly said.
Dive Insight:
US cybersecurity officials are out to drive home the core principles of national cyber strategy in an effort to support critical infrastructure. This week, Acting National Cyber Director Kemba Walden shared how the strategy was largely well received. And Anne Neuberger, deputy national security adviser for cyber and emerging technologies, outlined efforts to counter ransomware, with some consideration for a ransom ban.
Easterly, too, is doing its part to bring the tech industry and critical infrastructure operators together to rethink security.
“We don’t have a cyber problem, we have a technology and culture problem,” Easterly said. “Because at the end of the day, we’ve allowed speed to come to market and really put features in the backseat.”
No place in technology embodies speed to market better than generative AI. The craze that OpenAI sparked with the release of ChatGPT has launched a race to integrate the technology into every facet of the enterprise toolchain.
Microsoft, Google, and AWS moved to intertwine generative AI offerings, and IBM followed suit this week. Vendors are incorporating AI into core products that end users interact with, from Slack to Google’s productivity suite, including Docs and Sheets.
That is not to say that these products are unsafe. On the contrary, they have just quickly entered the market and are revising the way users interact with technology.
For Easterly, the primary way to catalyze a more sustainable approach to security that isn’t about how many attacks happened post-mortem is to shift security as far to the left as possible.
In that way, technology manufacturers and software vendors, which are billion-dollar companies, carry a much greater burden, she said.
“They own the outcomes of security, which means they develop technology that is secure by design, which means they are tested and developed to mitigate vulnerabilities as much as possible,” Easterly said. “It’s not going to zero.”
But, Easterly said, companies can roll back vulnerabilities without expecting customers to rush to patch each month when vulnerabilities are released.
